The Adtran Netvanta 7100 (NV7100) is an "Office in a Box"
appliance offering data and VoIP services on a single
platform. In October 2011, I discovered there were some
vulnerabilities in the platform and contacted the vendor.
The initial disclosure revolved primarily around cross
site scripting attacks, where via crafted URIs an attacker
would have been able to trick users into performing a
variety of attacks, local to the users machine, or, if
given enough privileges, re-directed back to the NV7100.
After disclosing the issue, Adtran began fixing up these
initial issues however, in parallel, I then found others
which were similar in nature, but affecting other areas
of the NV7100.

II. DESCRIPTION

For a description of XSS, injection attacks, authentication
bypass, please see OWASP material on this subject.

The NV7100's main issue (and the reason for the LONG release
of a patch) revolved around userapp/loginAction.html where
an attacker was able to inject code regardless of
authenticating. In the initial report, there was some
miscommunication on my behalf, as well as some vendor
misinterpretation of what was occurring. An attacker DOES
NOT NEED credentials to pull off a successful attack and
no POC code will be made publicly available to demonstrate.
The vendor was given a video that illustrated the who,
what, when, where and why.

III SOLUTION

Adtran released a firmware update, and advisory of their
own to resolve this issue however, in the interim, these
appliances should NEVER face the public internet, and
should be isolated via VLANs or firewalls to minimize abuse.

https://supportforums.adtran.com/docs/DOC-6414

IV. TOOLS USED

Wikto, Burpsuite, WVS, perl kung fu, Firefox

V. History

This was reported in 2011 and throughout the past two years,
Adtran has been fixing the issues I have been coming across.
Initially, the advisory began with over 52 different means
of attacks and over the course of two years, Adtran has
diligently addressed each and every vulnerability, as
recently as August 2013. While I would have preferred
placing a timeline, the reality is, two years is a long time
to go back and forth with a vendor on security issues.

VI. Renegotiation

There was also an SSL renegotation issue that was discovered
and addressed during the process of sorting out the XSS
issues.